Start of change

BIND SERVICE (DSN)

The BIND SERVICE (DSN) subcommand builds an application package that represents a Db2 REST service. Db2 records the description of the service in the catalog tables and saves the prepared package in the directory.

Environment

You can issue BIND SERVICE from a DSN session under TSO that runs in the foreground or background.

Data sharing scope: Group

Authorization

The package owner must have the required authorization, such as the SYSADM authority, to execute the SQL statement embedded in a package and to build the package. If BIND SERVICE is issued in a trusted context defined with the ROLE AS OBJECT OWNER clause, the package owner must be a role with the role ownership to execute the command. If the OWNER option of the command is specified, the owner will be assumed a role. If the OWNER option is not specified, the role of the binder becomes the owner. If the trusted context is not specified with the ROLE AS OBJECT OWNER clause, the current rules for BIND ownership apply.

For VALIDATE(BIND), Db2 verifies the authorization at bind time. For VALIDATE(RUN), Db2 verifies the authorization initially at bind time, but if the authorization check fails, Db2 rechecks it at run time. The following table summarizes the authorization required for running BIND SERVICE, depending on the bind options that you specify and, in the case of the ACTION (ADD) option, the value of the BIND NEW PACKAGE field on installation panel DSNTIPP1:

Table 1. Required privileges for BIND SERVICE options
Bind option Installation panel field BIND NEW PACKAGE (BINDNV subsystem parameter) Authorization required to run BIND PACKAGE
ADD, using the default owner or primary authorization ID BINDADD The primary authorization ID (default owner) or role must have one of the following to add a new package to a collection:
  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority
ADD, using the default owner or primary authorization ID BIND The primary authorization ID (default owner) or role must have one of the following to add a new package to a collection:
  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority
  • PACKADM authority on the collection or on all collections
  • The BIND package privilege
ADD, specifying an OWNER other than the primary authorization ID1 BINDADD

If any of the authorization IDs or roles of the process has SYSADM authority, SYSCTRL authority, or system DBADM authority, OWNER authorization-id can be any value, when subsystem parameter SEPARATE_SECURITY is set to NO. If any of the authorization IDs has the BINDAGENT privilege granted from the owner, authorization-id can specify the grantor as OWNER. Otherwise, the OWNER authorization-id must be one of the primary or secondary authorization IDs of the binder.

If you specify OWNER authorization-id , Db2 first checks the OWNER and then the binder for the necessary bind privilege.

If the binder does not have SYSADM, SYSCTRL, or system DBADM authority, the authorization ID or role of the OWNER must have one of the following to add a new package to a collection:

  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority
ADD, specifying an OWNER other than the primary authorization ID1 BIND

If any of the authorization IDs or roles of the process has SYSADM authority, SYSCTRL authority, or system DBADM authority, OWNER authorization-id can be any value, when subsystem parameter SEPARATE_SECURITY is set to NO. If any of the authorization IDs has the BINDAGENT privilege granted from the owner, authorization-id can specify the grantor as OWNER. Otherwise, the OWNER authorization-id must be one of the primary or secondary authorization IDs of the binder.

If you specify OWNER authorization-id , Db2 first checks the OWNER and then the binder for the necessary bind privilege.

If the binder does not have SYSADM, SYSCTRL, or system DBADM authority, the authorization ID or role of the OWNER must have one of the following to add a new package to a collection:

  • The BINDADD system privilege and either the CREATE IN privilege or PACKADM authority on the collection or on all collections
  • SYSADM, SYSCTRL, or system DBADM authority
  • PACKADM authority on the collection or on all collections
  • The BIND package privilege
Note:
  1. If both the OWNER and the binder do not have the necessary bind privilege and the IFCID 140 trace is active, a trace record is written with details about the authorization failure.

Syntax

Read syntax diagramSkip visual syntax diagram BIND SERVICE (location-name.1 collection-id)name-blockDESCRIPTION(description-string)OWNER(authorization-id) QUALIFIER( qualifier-name) ACTION(ADD)CURRENTDATA(NO)DEFER(PREPARE)NODEFER(PREPARE)DEGREE(1ANY) DESCSTAT(YES)ENCODING(UNICODE)SQLERROR(NOPACKAGE)EXPLAIN(NOYES)GETACCELARCHIVE(NOYES)IMMEDWRITE(NOYES)ISOLATION(CSRRRSURNC)REOPT(NONE2ALWAYS3ONCEAUTO)OPTHINT( ' hint-id' )ACCELERATOR( ' accelerator-name' )ACCELERATIONWAITFORDATA( ' nnnn.m' )PATH(,schema-nameUSER)ROUNDING(CEILINGDOWNFLOORHALFDOWNHALFEVENHALFUPUP)QUERYACCELERATION(NONEENABLEENABLEWITHFAILBACKELIGIBLEALL)RELEASE(COMMITDEALLOCATE) VALIDATE(RUNBIND)CONCURRENTACCESSRESOLUTION(USECURRENTLYCOMMITTEDWAITFOROUTCOME) APREUSE(NONEERRORWARN) APCOMPARE(NONEWARNERROR)BUSTIMESENSITIVE(YESNO)SYSTIMESENSITIVE(YESNO)ARCHIVESENSITIVE(YESNO)APPLCOMPAT(function-levelV12R1V11R1)
Notes:
  • 1 The location name can only be specified when the COPY option is specified.
  • 2 NOREOPT(VARS) can be specified as a synonym of REOPT(NONE)
  • 3 REOPT(VARS) can be specified as a synonym of REOPT(ALWAYS)

name-block

Read syntax diagramSkip visual syntax diagramNAME( service-name)VERSION(version-id)SQLDDNAME( ddname)SQLENCODING(EBCDICASCIIUNICODEccsid)DATE(EURISOJISLOCALUSA)TIME(EURISOJISLOCALUSA)DEC(1531)DECDEL(PERIODCOMMA)STRDEL(APOSTROPHEQUOTE)COPY( collection-id.service-name)COPYVER( version-id)OPTIONS(COMPOSITECOMMAND)

Option descriptions

For descriptions of the options shown in the syntax diagram, see BIND and REBIND options for packages, plans, and services.

End of change